Privacy Policy

This Privacy Policy describes how Pathshala Inc. (“Pathshala”) collects, uses, retains, and protects personal information in connection with the Pathshala OS hosted software platform (the “Service”). It is a companion to the Master Services Agreement (the “MSA”). Capitalised terms not defined here have the meanings given to them in the MSA.

When an institute, school, tutor, or other organisation (“Institute”) uses Pathshala OS: the Institute is the controller (or equivalent) of personal data about its admins, tutors, students, parents, and other Users; and Pathshala is a processor(or equivalent) acting on the Institute's documented instructions, which include the configuration choices the Institute makes in the portal and the terms of the MSA. For information Pathshala collects from visitors to its marketing site or from the signing Institute owner directly (e.g., the billing contact, the support requester), Pathshala acts as a controller.

We collect the following categories of personal information:

• Account & profile. Name, email address, password hash, phone number, profile image, role (admin / tutor / student / parent / staff), the Institute the account belongs to, and timezone or locale preferences.
• Institute identity & billing. Institute name, slug, custom domain, logo, brand colour, address, contact details, plan tier, billing cycle, Stripe customer and subscription identifiers, invoices, the last 4 digits of the card on file, billing email, and tax identifiers.
• Customer Content. Course material, lesson plans, assignments, quizzes, uploaded images and documents, messages and notifications sent through the Service, live session metadata (start/end, attendees), session recordings, and any other content Users submit. The Institute owns this content (see MSA §9).
• Usage & device. IP address, user agent, device type, operating system, pages viewed, actions taken, timestamps, performance metrics, and API call patterns — collected through standard server logs and lightweight, first-party analytics. We do not run third-party advertising trackers.
• Cookies & local storage. Strictly necessary cookies for authentication and session continuity, functional preferences (e.g., theme), and anti-abuse signals.
• Communications. Email correspondence with our support and legal teams, and the content of help tickets.

We use personal information to:

• operate, authenticate, secure, and deliver the Service to the Institute and its Users;
• process subscriptions, invoices, refunds, recording-overage charges, and tax;
• send transactional and account messages (e.g., login codes, billing notices, payment failure alerts, automatic-downgrade notices, deletion confirmations);
• provide support and respond to requests;
• monitor for fraud, abuse, security incidents, and to enforce the MSA;
• perform aggregate, de-identified analytics to improve the Service;
• comply with legal obligations (tax, accounting, lawful requests).

We do not sell personal information, do not rent it to data brokers, do not use Customer Content to train generic third-party AI models without the Institute's express, written authorisation, and do not show third-party advertisements on the Service.

Pathshala uses a small set of carefully chosen sub-processors to operate the Service. Each sub-processor is under a written contract that obligates them to protect personal information on terms substantially similar to those in this Policy and the MSA:

• Amazon Web Services (AWS) — hosting, database (DynamoDB), object storage (S3), serverless compute, identity (Cognito), email (SES). Region: United States.
• Stripe, Inc. — subscription billing, payment processing, invoicing. Card data is collected by Stripe on its own pages; Pathshala does not store full card numbers.
• Live-class & recording provider — the third-party real-time video provider Pathshala uses to deliver live sessions and produce recordings. Recording files are then stored in AWS under Pathshala's account.
• Email / SMS delivery — Amazon SES for email; SMS providers as configured per Institute.
• Analytics & error tracking — first-party server-side logs; lightweight client error telemetry to help Pathshala detect outages and bugs.

We also disclose personal information when required by law (e.g., subpoena, court order), to enforce the MSA, to protect the rights, property, or safety of Pathshala, its Users, or the public, and as part of a merger, acquisition, or sale of assets — in which case the acquirer assumes this Policy.

Personal information is retained for as long as the Institute maintains an active Subscription. If the Institute cancels, stops paying, abandons the portal, or otherwise stops using the Service (an “Offboarding Event”):

• We retain the Institute's Customer Data for six (6) months from the Offboarding Event so the Institute can return, export, or migrate. After that period we permanently delete the data from production systems on a rolling basis.
• The Institute owner may at any time send a written request to admin@pathshalainc.com asking us to delete data ahead of the 6-month schedule. After we verify the requester, deletion from production systems takes a minimum of seventy-two (72) hours to complete because we need to stop scheduled jobs, drain caches, finish in-flight backups, and propagate the deletion across multiple systems.
• Encrypted offline backups may retain copies of deleted data for up to thirty (30) days after production deletion before they are overwritten on the normal rotation schedule. Those copies are not used for any operational purpose.
• Limited records may be retained beyond these windows where required by law (e.g., tax and audit retention for billing invoices) or in connection with a legal hold.

We maintain administrative, physical, and technical safeguards designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. Highlights:

• TLS 1.2+ for all traffic between User devices and the Service.
• Encryption at rest for durable storage (AWS-managed keys).
• Strict per-Institute data isolation in the database tier.
• Role-based access controls, least-privilege production access, and audit logging.
• Vulnerability monitoring, automated dependency updates, and incident response procedures.

No system is 100% secure. If we confirm a security incident that has resulted in unauthorised access to or disclosure of unencrypted personal information of the Institute, we will notify the Institute owner without undue delay and assist the Institute's response as required by law.

Depending on where you live, you may have the right to access, correct, port, restrict, or delete the personal information Pathshala holds about you, and to object to certain processing. To make a request:

• If you are an admin, tutor, student, parent, or other User of an Institute's tenant, please contact your Institute directly first — the Institute controls your data on the platform and can usually answer and action requests faster. Pathshala will help the Institute respond as required by law.
• If you are the Institute owner or signing party, email admin@pathshalainc.com from the owner email on file. We will verify your identity and respond within the timeframe required by applicable law.

You may also opt out of non-essential marketing email from Pathshala at any time using the unsubscribe link in those messages. Transactional messages (billing notices, login codes, security alerts, deletion confirmations) cannot be unsubscribed because they are required to operate the Service.

Pathshala OS is sold to Institutes for use in institute-administered educational programs. When an Institute allows students under the age of 13 (or the equivalent age under applicable law) to use the Service, the Institute is responsible for obtaining any required parental consent and for ensuring its use complies with COPPA, FERPA, GDPR-K, or other applicable laws. Pathshala does not knowingly collect personal information directly from children outside an Institute's authorised use. If you believe a child has submitted personal information to Pathshala outside the Institute's authorised use, please contact us and we will take appropriate steps.

Pathshala is based in the United States and stores personal information on AWS infrastructure in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States. Where required, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses) to protect international transfers.

We may update this Privacy Policy from time to time. The effective date and version identifier at the top of this page reflect the current version. Material changes will be announced to the Institute owner's email on file at least thirty (30) days before they take effect, unless a shorter period is required by law.

To make a privacy or data request, file a complaint, or ask any question about this Policy, contact admin@pathshalainc.com or write to Pathshala Inc., 1240 Barksdale Dr NE, Leesburg, VA 20176, USA.